To Err is Human: The Complexity of Security Failures (Keynote)

A presentation at Hacktivity in Budapest, Hungary by Kelly Shortridge

Humans make mistakes. Information security’s mistake is operating as if humans can be forced to never err. The illusion of “human error” being a satisfactory explanation for security failures holds us back, constricting our feedback loops and creating blind spots. We will never achieve our goal of securing complex systems if we do not analyze problems through a systemic lens rather than childishly pointing fingers.

In this talk, we will explore what we mean by “error” as well as the hindsight and outcome biases that constrain our perspective. Then, we will discuss how infosec tends to cope with failure, from blaming humans to implementing rigid procedures. Finally, we will conclude by delving into solutions infosec can implement to help our organizations better cope with failure, including the adoption of a systems perspective, chaos security engineering, and blameless culture.

